<!doctype html>
<html lang="en" class="page-type-section">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8">
<title>2.3.19 - FreeMarker Manual</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="format-detection" content="telephone=no">
<meta property="og:site_name" content="FreeMarker Manual">
<meta property="og:title" content="2.3.19">
<meta property="og:locale" content="en_US">
<meta property="og:url" content="http://freemarker.org/docs/versions_2_3_19.html">
<link rel="canonical" href="http://freemarker.org/docs/versions_2_3_19.html">
<link rel="icon" href="favicon.png" type="image/png">
<link rel="stylesheet" type="text/css" href="docgen-resources/docgen.min.css">
</head>
<body itemscope itemtype="https://schema.org/Code">
    <meta itemprop="url" content="http://freemarker.org/docs/">
    <meta itemprop="name" content="FreeMarker Manual">

  <!--[if lte IE 9]>
  <div style="background-color: #C00; color: #fff; padding: 12px 24px;">Please use a modern browser to view this website.</div>
  <![endif]--><div class="header-top-bg"><div class="site-width header-top"><a class="logo" href="http://freemarker.org" role="banner">            <img itemprop="image" src="logo.png" alt="FreeMarker">
</a><ul class="tabs"><li><a href="http://freemarker.org/">Home</a></li><li class="current"><a href="index.html">Manual</a></li><li><a class="external" href="http://freemarker.org/docs/api/index.html">Java API</a></li></ul><ul class="secondary-tabs"><li><a class="tab icon-heart" href="http://freemarker.org/contribute.html" title="Contribute"><span>Contribute</span></a></li><li><a class="tab icon-bug" href="https://sourceforge.net/p/freemarker/bugs/new/" title="Report a Bug"><span>Report a Bug</span></a></li><li><a class="tab icon-download" href="http://freemarker.org/freemarkerdownload.html" title="Download"><span>Download</span></a></li></ul></div></div><div class="header-bottom-bg"><div class="site-width search-row"><a href="toc.html" class="navigation-header">Manual</a><div class="navigation-header"></div></div><div class="site-width breadcrumb-row"><ul class="breadcrumb" itemscope itemtype="http://schema.org/BreadcrumbList"><li class="step-0" itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem"><a class="label" itemprop="item" href="toc.html"><span itemprop="name">FreeMarker Manual</span></a></li><li class="step-1" itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem"><a class="label" itemprop="item" href="app.html"><span itemprop="name">Appendix</span></a></li><li class="step-2" itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem"><a class="label" itemprop="item" href="app_versions.html"><span itemprop="name">Version history</span></a></li><li class="step-3" itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem"><a class="label" itemprop="item" href="versions_2_3_19.html"><span itemprop="name">2.3.19</span></a></li></ul><div class="bookmarks" title="Bookmarks"><span class="sr-only">Bookmarks:</span><ul class="bookmark-list"><li><a href="alphaidx.html">Alpha. 
index</a></li><li><a href="gloss.html">Glossary</a></li><li><a href="dgui_template_exp.html#exp_cheatsheet">Expressions</a></li><li><a href="ref_builtins_alphaidx.html">?builtins</a></li><li><a href="ref_directive_alphaidx.html">#directives</a></li><li><a href="ref_specvar.html">.spec_vars</a></li><li><a href="app_faq.html">FAQ</a></li></ul></div></div></div>    <div class="main-content site-width">
      <div class="content-wrapper">
  <div id="table-of-contents-wrapper" class="col-left">
      <script>var breadcrumb = ["FreeMarker Manual","Appendix","Version history","2.3.19"];</script>
      <script src="toc.js"></script>
      <script src="docgen-resources/main.min.js"></script>
  </div>
<div class="col-right"><div class="page-content"><div class="page-title"><div class="pagers top"><a class="paging-arrow previous" href="versions_2_3_20.html"><span>Previous</span></a><a class="paging-arrow next" href="versions_2_3_18.html"><span>Next</span></a></div><div class="title-wrapper">
<h1 class="content-header header-section1" id="versions_2_3_19" itemprop="headline">2.3.19</h1>
</div></div><div class="page-menu">
<div class="page-menu-title">Page Contents</div>
<ul><li><a class="page-menu-link" href="#autoid_157" data-menu-target="autoid_157">Changes on the FTL side</a></li><li><a class="page-menu-link" href="#autoid_158" data-menu-target="autoid_158">Changes on the Java side</a></li></ul> </div><p>Date of release: 2012-02-29</p><p>Don't forget the <a href="#v2319secfix">security related fixes</a>,
		which may affect your application!</p>
          



<h2 class="content-header header-section2" id="autoid_157">Changes on the FTL side</h2>


          <ul>
            <li>
              <p><em>Attention</em>: The output of the <a href="ref_builtins_date.html#ref_builtin_date_iso">ISO 8601 date/time format built-ins</a>
			  introduced in 2.3.17 has changed slightly. From now on, the time zone offset, when it is
			  shown and is not <code class="inline-code">Z</code>, always includes the minutes. For example,
			  <code class="inline-code">15:30:15+02</code> in the template output now becomes
			  <code class="inline-code">15:30:15+02:00</code>. Both forms are valid according to ISO 8601
			  (so the ISO 8601 date/time formats themselves are not affected), but the latter is also
			  compatible with the XML Schema date/time format, hence the change.</p>
            </li>

            <li>
              <p>New built-in for escaping JSON strings: <a href="ref_builtins_string.html#ref_builtin_json_string"><code>json_string</code></a>.</p>
            </li>

            <li>
              <p>Bug fixed: an incorrect <code class="inline-code">#</code> tag was printed as static text
			  instead of causing a parse error if there was no correct <code class="inline-code">#</code> tag
			  earlier in the same template. Because this fix is not 100% backward compatible, the old
			  behavior is kept unless you set <code class="inline-code">incompatible_enhancements</code>
			  (that is, <code class="inline-code">Configuration.setIncompatibleEnhancements(String)</code>)
			  to <code class="inline-code">&quot;2.3.19&quot;</code> or higher.</p>
            </li>
          </ul>
        
          



<h2 class="content-header header-section2" id="autoid_158">Changes on the Java side</h2>


          <ul>
            <li>
              <p><a name="v2319secfix"></a><em>Attention</em>:
			  this release contains two important security fixes; apparently
			  these problems made some applications exploitable.
			  <em>FreeMarker can't fix the problem in all configurations,
			  so please read the details below instead of just upgrading FreeMarker!</em>
			  In theory these changes are not 100% backward compatible,
			  but it is very unlikely that they break anything. The two changes are:</p>

              <ul>
                <li>
                  <p>The character with character code 0
                  (<code class="inline-code">\u0000</code>) is no longer allowed in template paths.
                  When a path contains it, FreeMarker behaves as if
                  the template was not found.</p>

                  <p>This fixes the security problem where a template
                  path like <code class="inline-code">&quot;secret.txt\u0000.ftl&quot;</code> is used
                  to bypass extension filtering in an application. FreeMarker
                  itself doesn&#39;t care about the extension, but some
                  applications decide based on the extension whether they will
                  delegate a path to FreeMarker. When they do so with such a
                  path, the C/C++ implementation behind the storage mechanism
                  may see the path as <code class="inline-code">&quot;secret.txt&quot;</code>, as the
                  0 terminates the string in C/C++, and thus load a non-FTL
                  file as a template, returning the file contents to the
                  attacker.</p>

                  <p>Note that some HTTP servers, notably Tomcat and the
                  Apache HTTP Server, block URLs that contain 0
                  (<code class="inline-code">%00</code>) outside the query string, so this
                  wasn&#39;t exploitable there through such web URLs. Some other
                  HTTP servers, however, like Jetty, don&#39;t block such
                  URLs.</p>
                </li>

                <li>
                  <p><code class="inline-code">ClassTemplateLoader</code>, when it&#39;s
                  created with base path <code class="inline-code">&quot;/&quot;</code> (as with
                  <code class="inline-code">new ClassTemplateLoader(someClass, &quot;/&quot;)</code>),
                  no longer allows template paths that contain a colon earlier
                  than any <code class="inline-code">/</code>, and acts as if the
                  template was not found in such cases.</p>

                  <p>This fixes the security problem where a template
                  path like <code class="inline-code">&quot;file:/etc/secret&quot;</code> or
                  <code class="inline-code">&quot;http://example.com/malware.ftl&quot;</code> is
                  interpreted as a full URL by a
                  <code class="inline-code">java.net.URLClassLoader</code> in the
                  class-loader hierarchy, which allows loading files from
                  such URLs as templates. This is a quirk (or bug) of
                  <code class="inline-code">java.net.URLClassLoader</code>, so the
                  problem only exists on systems that use such
                  class-loaders.</p>

                  <p>Beware: some frameworks use their own
                  <code class="inline-code">TemplateLoader</code> implementations, and if
                  those are vulnerable, they will remain so after updating
                  FreeMarker! Note that this exploit only works if the
                  class-loader hierarchy contains a
                  <code class="inline-code">URLClassLoader</code> and the class-loader is
                  used to load templates without adding any prefix before the
                  template path (other than <code class="inline-code">&quot;/&quot;</code>);
                  with a prefix such as <code class="inline-code">&quot;/templates/&quot;</code> the
                  colon no longer follows a bare scheme name, so the path is
                  resolved as a relative resource.</p>
                </li>
              </ul>

              <p>These security issues mostly affect only applications
              <em>where the user (the visitor) can supply arbitrary
              template paths to the application</em>. This is not the
              case with properly built MVC applications, as there only the MVC
              Controller can be addressed directly, and it&#39;s the Controller
              that specifies the template paths. But legacy MVC applications
              based on <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">JSP
              Model-2</a> often expose the MVC Views as public URLs ending
              with <code class="inline-code">.ftl</code>, thus allowing the user to pass
              arbitrary paths to FreeMarker. Such applications should be
              secured with a <code class="inline-code">security-constraint</code> in
              <code class="inline-code">web.xml</code> as shown in the <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">related Manual
              section</a>. This should be done regardless of the current
              security fixes.</p>

              <p>In general, you should not allow users to specify
              arbitrary template paths, or if you do allow that, you should be
              extra careful with the <code class="inline-code">TemplateLoader</code>
              used.</p>
            </li>

            <li>
              <p><code class="inline-code">Configuration</code> has new methods:
              <code class="inline-code">removeTemplateFromCache(...)</code>. These
              remove the given template for the given locale from the cache,
              so it will be reloaded the next time it&#39;s requested, regardless
              of the template update delay.</p>
            </li>

            <li>
              <p><code class="inline-code">BeansWrapper</code> now ignores setter methods
              when introspecting classes. They weren&#39;t used anyway,
              and they unnecessarily caused
              &quot;<code class="inline-code">java.beans.IntrospectionException</code>: type
              mismatch between read and write methods&quot; errors.</p>
            </li>

            <li>
              <p><code class="inline-code">TemplateClassResolver.SAFER_RESOLVER</code>
              now disallows creating
              <code class="inline-code">freemarker.template.utility.JythonRuntime</code> and
              <code class="inline-code">freemarker.template.utility.Execute</code>. This
              change affects the behavior of the <a href="ref_builtins_expert.html#ref_builtin_new"><code>new</code> built-in</a>
              only if FreeMarker was configured to use
              <code class="inline-code">SAFER_RESOLVER</code>, which will not be the default
              until 2.4, so it is unlikely to affect you.</p>
            </li>

            <li>
              <p>Bug fixed: Calling varargs methods now indeed works.
              (Earlier it only worked for overloaded methods.)</p>
            </li>

            <li>
              <p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=1837697&amp;group_id=794&amp;atid=100794">[1837697]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=2831150&amp;group_id=794&amp;atid=100794">[2831150]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3039096&amp;group_id=794&amp;atid=100794">[3039096]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3165425&amp;group_id=794&amp;atid=100794">[3165425]</a>:
              Jython support now works with Jython 2.2 and 2.5.</p>
            </li>

            <li>
              <p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3325103&amp;group_id=794&amp;atid=100794">[3325103]</a>:
              <code class="inline-code">TemplateException</code>-s and
              <code class="inline-code">ParseException</code>-s are now serializable.</p>
            </li>
          </ul>
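<p>The two path rules described under the security fixes above, as an added example that is not part of FreeMarker or of this manual: a hypothetical <code class="inline-code">SafePathTemplateLoader</code> decorator (the class name is ours) that applies the same checks in front of any <code class="inline-code">TemplateLoader</code>, including a framework's own loader that may not have been fixed. It uses only the public <code class="inline-code">freemarker.cache.TemplateLoader</code> interface, <code class="inline-code">ClassTemplateLoader</code> and <code class="inline-code">Configuration</code> from the 2.3 API; the probe paths in <code class="inline-code">main</code> are constructed for the demonstration.</p>

```java
import java.io.IOException;
import java.io.Reader;

import freemarker.cache.ClassTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;

/**
 * Hypothetical decorator (example code, not FreeMarker's own): applies the
 * 2.3.19 template path rules in front of any TemplateLoader, so a
 * framework-supplied loader is covered as well. A rejected path is reported
 * as "not found" (null), which is what 2.3.19 itself does.
 */
public final class SafePathTemplateLoader implements TemplateLoader {

    private final TemplateLoader delegate;

    public SafePathTemplateLoader(TemplateLoader delegate) {
        this.delegate = delegate;
    }

    /** True if the path must be treated as "template not found". */
    static boolean isRejectedPath(String name) {
        if (name == null) {
            return true;
        }
        // Fix 1: a NUL anywhere in the path may truncate it in native code
        // behind the storage, so "secret.txt\u0000.ftl" would open "secret.txt".
        if (name.indexOf('\u0000') >= 0) {
            return true;
        }
        // Fix 2: a colon before the first '/' reads as a URL scheme to
        // java.net.URLClassLoader ("file:", "http:", "jar:" ...), so the path
        // would be fetched as an absolute URL instead of a class-path resource.
        // A colon that comes after a '/' cannot start a scheme and is allowed.
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        return colon >= 0 && (slash < 0 || colon < slash);
    }

    public Object findTemplateSource(String name) throws IOException {
        if (isRejectedPath(name)) {
            return null;  // null means "not found" in the TemplateLoader contract
        }
        return delegate.findTemplateSource(name);
    }

    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    public Reader getReader(Object templateSource, String encoding) throws IOException {
        return delegate.getReader(templateSource, encoding);
    }

    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

    public static void main(String[] args) {
        // Constructed probe paths, one per case discussed in the release notes.
        String[] probes = {
            "pages/home.ftl",                 // ordinary path: allowed
            "secret.txt\u0000.ftl",           // NUL byte: rejected (fix 1)
            "file:/etc/secret",               // URL scheme: rejected (fix 2)
            "http://example.com/malware.ftl", // URL scheme: rejected (fix 2)
            "pages/report:2012.ftl",          // colon after a '/': allowed
        };
        for (String p : probes) {
            System.out.println((isRejectedPath(p) ? "REJECT " : "allow  ")
                    + p.replace("\u0000", "\\u0000"));
        }

        // Wiring: the decorator sits in front of a class-path loader rooted at
        // "/", which is exactly the configuration the second fix is about.
        Configuration cfg = new Configuration();
        cfg.setTemplateLoader(new SafePathTemplateLoader(
                new ClassTemplateLoader(SafePathTemplateLoader.class, "/")));
    }
}
```

<p>Placing the check in the loader rather than only in the web layer means it also covers paths that reach FreeMarker through <code class="inline-code">#include</code> and <code class="inline-code">#import</code> or through the application's own code; it complements, and does not replace, the <code class="inline-code">web.xml</code> security-constraint recommended above.</p>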
        <div class="bottom-pagers-wrapper"><div class="pagers bottom"><a class="paging-arrow previous" href="versions_2_3_20.html"><span>Previous</span></a><a class="paging-arrow next" href="versions_2_3_18.html"><span>Next</span></a></div></div></div></div>      </div>
    </div>
<div class="site-footer"><div class="site-width"><div class="footer-top"><div class="col-left sitemap"><div class="column"><h3 class="column-header">Overview</h3><ul><li><a href="http://freemarker.org/index.html">What is FreeMarker?</a></li><li><a href="http://freemarker.org/freemarkerdownload.html">Download</a></li><li><a href="app_versions.html">Version history</a></li><li><a href="http://freemarker.org/history.html">About us</a></li><li><a itemprop="license" href="app_license.html">License</a></li></ul></div><div class="column"><h3 class="column-header">Handy stuff</h3><ul><li><a href="http://freemarker-online.kenshoo.com/">Try template online</a></li><li><a href="dgui_template_exp.html#exp_cheatsheet">Expressions cheatsheet</a></li><li><a href="ref_directive_alphaidx.html">#directives</a></li><li><a href="ref_builtins_alphaidx.html">?built_ins</a></li><li><a href="ref_specvar.html">.special_vars</a></li></ul></div><div class="column"><h3 class="column-header">Community</h3><ul><li><a href="https://github.com/nanlei/freemarker/tree/manual-zh-2.3-gae/src/manual">Chinese Manual on Github</a></li><li><a href="https://github.com/freemarker/freemarker">FreeMarker on Github</a></li><li><a href="https://twitter.com/freemarker">Follow us on Twitter</a></li><li><a href="https://sourceforge.net/p/freemarker/bugs/new/">Report a bug</a></li><li><a href="http://stackoverflow.com/questions/ask?tags=freemarker">Ask a question</a></li><li><a href="http://freemarker.org/mailing-lists.html">Mailing lists</a></li></ul></div></div><div class="col-right"><ul class="social-icons"><li><a class="github" href="https://github.com/freemarker/freemarker">Github</a></li><li><a class="twitter" href="https://twitter.com/freemarker">Twitter</a></li><li><a class="stack-overflow" href="http://stackoverflow.com/questions/ask?tags=freemarker">Stack Overflow</a></li></ul><a class="xxe" href="http://www.xmlmind.com/xmleditor/" rel="nofollow" title="Edited with XMLMind XML Editor"><span>Edited with 
XMLMind XML Editor</span></a></div></div><div class="footer-bottom"><p><span class="generated-for-product">Generated for: Freemarker 2.3.23</span><span class="last-updated"> Last generated:
<time itemprop="dateModified" datetime="2015-09-18T14:38:51Z" title="Friday, September 18, 2015 2:38:51 PM GMT">2015-09-18 14:38:51 GMT</time></span></p> <p class="copyright">
© <span itemprop="copyrightYear">1999</span>–2015
<a itemtype="http://schema.org/Organization" itemprop="copyrightHolder" href="http://freemarker.org">The FreeMarker Project</a>. All rights reserved. </p>
</div></div></div></body>
</html>
